Encrypting databases with a new boot password

You can apply a new boot password to a Derby database
by specifying the newBootPassword attribute on the connection URL when
you boot the database.

If the database is configured with log archival for roll-forward recovery,
you must disable log archival and perform a shutdown before you can encrypt
the database with a new boot password.

If there are any global transactions that are in the prepared state after
recovery, the database cannot be encrypted with a new boot password.

If the database is currently encrypted with an external encryption key,
you should use the newEncryptionKey attribute
to encrypt the database.

When you use the newBootPassword attribute, a new encryption
key is generated internally by the engine and the key is protected using the
new boot password. The newly generated encryption key encrypts the database,
including the existing data. You cannot change the encryption provider or
encryption algorithm when you apply a new boot password.

To encrypt a database with a new boot password:

Specify the newBootPassword attribute in a URL and reboot
the database. For example, if the following URL is used when
the salesdb database is rebooted, the database is encrypted
with the new encryption key, and is protected by the password new1234xyz:
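
The same reboot driven from embedded JDBC, as an added example that is not part of the original Derby documentation: it supplies bootPassword and newBootPassword through a Properties object instead of the URL string, then shuts down and reboots with the new password to confirm the change. The class name and the two environment variable names are assumptions; only the salesdb database name comes from the text above.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class ReencryptSalesDb {
    // Database name from the text above; run this in a JVM where salesdb is not yet booted,
    // because newBootPassword is only applied when the database boots.
    private static final String URL = "jdbc:derby:salesdb";

    public static void main(String[] args) throws SQLException {
        // Hypothetical variable names; passwords stay out of source code and URL strings.
        String current = requireEnv("DERBY_BOOT_PASSWORD");
        String replacement = requireEnv("DERBY_NEW_BOOT_PASSWORD");
        if (replacement.length() < 8) {
            throw new IllegalArgumentException("Derby boot passwords need at least 8 characters");
        }
        // Boot with the current password and request re-encryption under the new one.
        Properties rekey = new Properties();
        rekey.setProperty("bootPassword", current);
        rekey.setProperty("newBootPassword", replacement);
        try (Connection c = DriverManager.getConnection(URL, rekey)) {
            System.out.println("salesdb booted with newBootPassword");
        }
        shutdown();
        // Confirm that the database boots with the new password.
        Properties verify = new Properties();
        verify.setProperty("bootPassword", replacement);
        try (Connection c = DriverManager.getConnection(URL, verify)) {
            System.out.println("salesdb boots with the new boot password");
        }
        shutdown();
    }

    private static void shutdown() throws SQLException {
        try {
            DriverManager.getConnection(URL + ";shutdown=true");
        } catch (SQLException e) {
            // Derby reports a successful single-database shutdown as SQLState 08006.
            if (!"08006".equals(e.getSQLState())) throw e;
        }
    }

    private static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }
}
```

Take a backup of the database directory before running this, since the existing data is rewritten under the new key.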